win21 major PHP attack incoming

Stephen

US Operations
Staff member
There is something hitting webshell on win21 with many hundreds of requests per second. We are working to isolate it and block it off; temporarily, we have disabled webshell from working.
 
Re: win21 major PHP attack coming

It is a DDOS-like attack coming from 100s of IPs. It is hitting Perl and such too, but more limited than PHP.
 
Re: win21 major PHP attack coming

This attack is pretty brutal; the log is growing at several MB per minute on the blocked request IPs log.

However, we have it mostly under control. CPU usage is still a bit high as it is filtering on the server side by request.
 
Re: win21 major PHP attack coming

The number of IPs involved and the intensity are increasing now. We still have it mostly under control, but CPU usage is very high due to the number of requests.
 
Re: win21 major PHP attack coming

We have stopped the entire site now, which means hsphere may hang on displaying FTP info or other information from win21 while we allow remaining hosted websites CPU priority over the attackers.
This is allowing SITES to work, but hsphere may not for some functions.
 
Re: win21 major PHP attack coming

Attacks have not slowed at all; still getting between 5-7MB of logs per minute of various IP addresses, but impact on server is minimal except for hsphere not being able to load a few items in CP.

Edit: hsphere should be working now; only Webshell is still down. We will bring it up as soon as possible.
 
Re: win21 major PHP attack coming

Win21 is holding up fine client side, but is still taking a beating from the DDOS attack; it is just as strong or stronger now than when it was first happening.

We are now having to clear about 120MB of logs every 5 minutes just to keep logs from getting out of hand.
 
Re: win21 major PHP attack coming

It looks like the actual site being targeted has been set in the sights of the attack now.

We will be mailing the user and at minimum disabling PHP on that site.
 
Re: win21 major PHP attack coming

The attack slowed a bit last night but is back in a big way now, and win21 is suffering quite badly. I am working to resolve it now.
 
Re: win21 major PHP attack coming

Rebooting Win21 for some settings to take effect and hopefully help in this matter.
 
Re: win21 major PHP attack coming

Reboot is completed and seems to be doing a bit better now.
 
Just as an update, attacks are ongoing still at a very high level. We are going to try some other means to block the IPs involved today and see how it works.
 
We have enabled webshell on win21 now and are watching closely for any abuses of it by the DDOS.
 
All up now. The DDOS has hit webshell HARD with the authentication feature, and we have disabled that authentication for now.
 
ASP pages are running quite slowly now; working to resolve what may be wrong here. It has happened in the last 45 minutes.
 
I am going to head to the datacenter and work on building a new server, and we will migrate users off this server and shared IP so that users will not be affected.

I have null routed over 800 IPs already, and it looked to be slowing a lot, but within the last minute 1840 new IPs have attacked.

We will not be migrating the site that was attacked.
 
Server is back up, IIS back up, and so far much faster; we will see how it goes long term. I am still wanting to migrate users off this server as the best course, just due to the fact that the shared IP is continually getting hammered non-stop most of the week now.
 